UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must use a reverse-path filter for IPv4 network traffic when possible.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22420 GEN003613 SV-45736r1_rule ECSC-1 Medium
Description
Reverse-path filtering provides protection against spoofed source addresses by causing the system to discard packets with source addresses when the system has no route or if the route does not point towards the interface on which the packet arrived. Reverse-path filtering should be used whenever possible. Depending on the role of the system, reverse-path filtering may cause legitimate traffic to be discarded and should be used in a more permissive mode or not at all.
STIG Date
SUSE Linux Enterprise Server v11 for System z 2012-12-13

Details

Check Text ( C-43100r1_chk )
Verify the system configured to use a reverse-path filter for IPv4 network traffic.

# grep [01] /proc/sys/net/ipv4/conf/*/rp_filter|egrep "default|all"

If all of the resulting lines do not end with "1", this is a finding.
Fix Text (F-39136r1_fix)
Configure the system to use a reverse-path filter for IPv4 network traffic.
Edit /etc/sysctl.conf and add a setting for "net.ipv4.conf.all.rp_filter=1" and "net.ipv4.conf.default.rp_filter=1".
# sysctl -p